Several Zero-Days on Latest WordPress CMS

WordPress CMS is now open to several vulnerabilities that allow an attacker to conduct SQL injection and run a malicious javascript on visitor’s machine over a cross site scripting bug.

Actually the bug exist during the installation process so in order to take control on the remote webserver there are condition required which an incomplete installation of the CMS.

“The WordPress ‘setup-config.php’ installation page allows users to install WordPress in local or remote MySQL databases. This typically requires a user to have valid MySQL credentials to complete. However, a malicious user can host their own MySQL database server and can successfully complete the WordPress installation without having valid credentials on the target system.

After the successful installation of WordPress, a malicious user can inject malicious PHP code via the WordPress Themes editor. In addition, with control of the database store, malicious Javascript can be injected into the content of WordPress yielding persistent Cross Site Scripting.”

To protect your WordPress installation you need to have the latest CMS version and plugins, also it is important to apply best practices provided on the main website: http://codex.wordpress.org/Hardening_WordPress